62.214.197.166 wants to send email through java

Question

nizzy1115 14 Practically a Posting Shark

18 Years Ago

I've been getting this message as zone alarm asks to allow or deny this ip address from sending email from my computer. I have been using Azureus to download the new Mandrake distro and my download speed stops and i get this message. (Its usually about after 4-5 hours of downloading.)

I traced the IP using a WHOIS search and this is what i came up with:
WHOIS Record For
62.214.197.166
Record Type: IP Address

OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL

ReferralServer: whois://whois.ripe.net:43

NetRange: 62.0.0.0 - 62.255.255.255
CIDR: 62.0.0.0/8
NetName: RIPE-C3
NetHandle: NET-62-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: NS3.NIC.FR
NameServer: SUNIC.SUNET.SE
NameServer: NS-EXT.ISC.ORG
NameServer: TINNIE.ARIN.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate: 1997-04-25
Updated: 2005-08-03

Does anybody know why this is happening or if it is mallicious activity? I have always denied it but im still curious if its trying to do something mallicious.

java windows-virus

2 Contributors
13 Replies
351 Views
6 Days Discussion Span
Latest Post 18 Years Ago Latest Post by DMR

DMR 152 Wombat At Large

18 Years Ago

An nslookup of the exact IP yields:

Name: i3ED6C5A6.versanet.de
Address: 62.214.197.166

www.versanet.de redirects to Versatel, which is an ISP in the Netherlands. In other words, your computer appears to be trying to "phone home" to a computer on Versatel's Internet service.
I doubt this is what one would call a Good Thing.

* Have you run any virus/spyware utilities, and if so, what were the results?

* D0wnload the HijackThis utility:

Once downloaded, follow these instructions to install and run the program:

Create a folder for HJT outside of any Temp/Temporary folders and move/extract HijackThis to that folder now. A folder such such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...".
Save the log in the folder you created for HijackThis; the saved file will be named "hijackthis.log". Open the log file with Windows Notepad, and cut-n-paste the entire contents of the Notepad file here.

The log contents can tell us if any "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.

DMR 152 Wombat At Large

18 Years Ago

Sorry for not responding sooner- this week has been very busy; I haven't been able to spend much time here.

1. Do you know why this proxy setting exists?:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:81

2.Download the Pocket Killbox utility.

3. Run HijackThis again and have it fix the following entries; close HJT when the fix is complete:

O4 - HKLM\..\Run: [h3yb0y] C:\WINDOWS\SYSTEM32\DRIVERS\etc\LSASS.exe C:\WINDOWS\SYSTEM32\DRIVERS\etc\service.exe C:\WINDOWS\SYSTEM32\DRIVERS\etc\conf.dll
O4 - HKLM\..\Run: [h3yb0y1] C:\WINDOWS\SYSTEM32\DRIVERS\etc\LSASS.exe C:\WINDOWS\SYSTEM32\DRIVERS\etc\system.exe C:\WINDOWS\SYSTEM32\DRIVERS\etc\serv-u.ini

4. Select/hilight the bold text below and press Ctrl+C to copy the text to the Windows' clipboard:

C:\WINDOWS\SYSTEM32\DRIVERS\etc\LSASS.exe
C:\WINDOWS\SYSTEM32\DRIVERS\etc\service.exe
C:\WINDOWS\SYSTEM32\DRIVERS\etc\conf.dll
C:\WINDOWS\SYSTEM32\DRIVERS\etc\system.exe C:\WINDOWS\SYSTEM32\DRIVERS\etc\serv-u.ini

5. Open the Killbox.
* Click on the File menu and choose "Paste from clipboard". The filenames above should then be pasted into the "Full path of file to delete" box.
* Select the "Delete on Reboot" option.
* Click on the icon with the red circle and white X, and choose Yes when prompted to reboot.

6. Once the system has rebooted, run another HJT scan and post the new log.

DMR 152 Wombat At Large

18 Years Ago

A) 127.0.0.1 is the "loopback" or "localhost" address, and it exists on any computer (regardless of OS) running the TCP/IP protocol. The ":81" is what I'm interested in, as that entry is telling the system to use an alternate network port (port 81) instead of the default HTTP port (80).

Zone Alarm may very well have configured the proxy; let's find out for certain:

* Open an MS-DOS window.
* At the command prompt, type netstat -aop tcp and then hit Enter. This will list your tcp connections.
* Look for the line with the localhost address listening to port 81. In the last column of that line, note the Process ID (PID).
* Now type tasklist /fi "pid eq xxxx" /v (include the quotes, and replace xxxx with the PID found by the netstat command). This will display the name of the process/program listening on that port.

DMR 152 Wombat At Large

18 Years Ago

Hmm... you're right- the output of netstat isn't shedding any light on things as far as I can tell.

Since I can't definitively say if the proxy setting is legit, I'll leave it alone for the moment. What about the rest of the cleanup; were you able to complete that sucessfully? If so, post a new HJT log for us to review.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

nizzy1115 14 Practically a Posting Shark · Answer 1 · 2006-01-16T23:08:43+00:00

Thanks for the reply. I do run adaware and spybot daily, if not more than once a day, and i never get anything more than a few cookies from normal surfing. I ran hijackthis and here is my log:

Logfile of HijackThis v1.99.1
Scan saved at 11:06:16 AM, on 1/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5112.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Media Connect 2\WMCCFG.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\AOL\1137194151\ee\AOLSoftware.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Documents and Settings\Chris\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:81
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [h3yb0y] C:\WINDOWS\SYSTEM32\DRIVERS\etc\LSASS.exe C:\WINDOWS\SYSTEM32\DRIVERS\etc\service.exe C:\WINDOWS\SYSTEM32\DRIVERS\etc\conf.dll
O4 - HKLM\..\Run: [h3yb0y1] C:\WINDOWS\SYSTEM32\DRIVERS\etc\LSASS.exe C:\WINDOWS\SYSTEM32\DRIVERS\etc\system.exe C:\WINDOWS\SYSTEM32\DRIVERS\etc\serv-u.ini
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1137194151\ee\AOLSoftware.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O11 - Options group: [TABS] Tabbed Browsing
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} - https://www.windowsonecare.com/install/cli/0.8.0794.44/WinSSWebAgent.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{2960AFFE-7A53-4D92-90A5-C939B7F04DC1}: NameServer = 192.168.0.1,192.168.0.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{2960AFFE-7A53-4D92-90A5-C939B7F04DC1}: NameServer = 192.168.0.1,192.168.0.2
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Media Connect (WMC) (WmcCds) - Unknown owner - c:\program files\windows media connect\mswmccds.exe (file missing)
O23 - Service: Windows Media Connect (WMC) Helper (WmcCdsLs) - Unknown owner - C:\Program Files\Windows Media Connect\mswmcls.exe (file missing)

Thanks again for the help,
-nizzy1115

nizzy1115 14 Practically a Posting Shark · Answer 2 · 2006-01-21T23:07:08+00:00

I always wondered that as well, but i think i know the proxy 127.0.0.1:81 exists. I think it is a part of zonealarms firewall. Every computer that i install it on it shows up in and its called a "loopback adapter." I took a screen shot of it so you can see.

Do you still think i should get rid of it? Its on all 8 of my xp machines at home :eek:

Thanks again for getting back to me,
-nizzy1115

nizzy1115 14 Practically a Posting Shark · Answer 3 · 2006-01-22T01:42:53+00:00

I typed what you said but unfortunatly i do not see any thing on port 80/81. I may not be reading this right so i attached a picture of what i see of the command prompt.

Thanks again for being so helpful. :cheesy:

nizzy1115 14 Practically a Posting Shark · Answer 4 · 2006-01-22T02:20:31+00:00

Logfile of HijackThis v1.99.1
Scan saved at 2:19:29 PM, on 1/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5112.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\AOL\1137194151\ee\AOLSoftware.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Chris\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:81
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1137194151\ee\AOLSoftware.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O11 - Options group: [TABS] Tabbed Browsing
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} - https://www.windowsonecare.com/install/cli/0.8.0794.44/WinSSWebAgent.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{2960AFFE-7A53-4D92-90A5-C939B7F04DC1}: NameServer = 192.168.0.1,192.168.0.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{2960AFFE-7A53-4D92-90A5-C939B7F04DC1}: NameServer = 192.168.0.1,192.168.0.2
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Media Connect (WMC) (WmcCds) - Unknown owner - c:\program files\windows media connect\mswmccds.exe (file missing)
O23 - Service: Windows Media Connect (WMC) Helper (WmcCdsLs) - Unknown owner - C:\Program Files\Windows Media Connect\mswmcls.exe (file missing)

DMR 152 Wombat At Large Team Colleague · Answer 5 · 2006-01-22T02:39:40+00:00

That log looks better, although I just noticed something: your log shows no indication that you have an anti-virus program running. What's the story there?

nizzy1115 14 Practically a Posting Shark · Answer 6 · 2006-01-22T03:07:14+00:00

That log looks better, although I just noticed something: your log shows no indication that you have an anti-virus program running. What's the story there?

im pretty sure its running isnt "O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" it?

Do you think everything is in the clear now for my computer?

DMR 152 Wombat At Large Team Colleague · Answer 7 · 2006-01-22T04:20:55+00:00

Zone Alarm is a only firewall, not an antivirus program; it can block unwanted network activity, but it doesn't detect and remove viruses or spyware.

I'd suggest downloading and installing the free AVG antivirus program; it works very well. It would also be a good idea to install Microsoft's antispyware program, which is also free. Both programs not only scan for and remove malicious programs, but they also monitor your system in real time and alert you the moment they encounter suspicious activity.

Since you've been running without any antivirus or antispyware protection installed, you should probably perform the following general detection and disinfection steps:

1. In addition to AVG and Microsoft Antispyware, download and install:

CCleaner - www.ccleaner.com
ewido Anti-malware - http://www.ewido.net/en/download/

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open AVG and use its online update function to make sure that it has the most current virus definitions installed. Again- don't scan yet, just close the program once it's updated.

2. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up).

Open CCleaner.
- Go to Options-> Advanced: Uncheck "Only delete files in Windows Temp folders older than 48 hours"
- Go to Options>CustomFolders>Add Folder>Navigate to these folders (click on bold file once and hit OK) :
* C:\Windows\Temp
* C:\Windows\Prefetch
* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ (This will delete all your cached internet content including cookies.)
* C:\Documents and Settings\<Your Profile>\Local Settings\Temp
* C:\Documents and Settings\<any other user's Profile>\Local Settings\Temporary Internet Files
* C:\Documents and Settings\<Any other user's Profile>\Local Settings\Temp
* C:\Documents and Settings\<Your Profile>\Cookies
* C:\Documents and Settings\<Any other users Profile>\Cookies
Hit OK

- In left pane, scroll down to "Advanced, Custom Folders", put a check in Custom Folders

- Click on Run CCleaner

It may take a while for the program to perform its cleaning, so be patient. Close the program when it has finished.

- Run AVG, MS Antispyware, and ewido; have the programs fix all malicious items they find.

When ewido finds the first malicious object on your system, it will ask you if it should clean it. When it asks this, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
Save the log file that ewido will create after it finishes scanning; you'll be including that log in your next post here.

3. Empty your Recycle Bin, reboot normally, run HijackThis again, and post the new log. Also post the logs that ewido generated.

nizzy1115 14 Practically a Posting Shark · Answer 8 · 2006-01-22T05:28:37+00:00

I'm sorry, but zonealarm is not only a firewall program, it is a firewall, antivirus, and spyware all in one. Check out my image i uploaded. There are two versions of zonealarm one is just the firewall and the other has antivirus bundled with it and about 6 months ago they added spyware to it as well.

Thanks again for all your help, its been greatly apreciated.

DMR 152 Wombat At Large Team Colleague · Answer 9 · 2006-01-22T05:44:25+00:00

Sorry- I didn't know that you had the newer, fuller version of ZA; that's cool, then.